
CMMC vs. GSA’s New Cybersecurity Framework: What Contractors Should Know


Executive Brief

Confusion is growing as multiple federal cybersecurity frameworks evolve at the same time.

The Cybersecurity Maturity Model Certification (CMMC) is mandatory for Department of Defense (DoD, also known as the Department of War) contractors handling Controlled Unclassified Information (CUI). At the same time, the General Services Administration (GSA) is advancing its own cybersecurity expectations.

These are not interchangeable frameworks.

They serve different agencies, different risk models, and different enforcement mechanisms.

Understanding where they overlap and where they diverge is critical if your organization works across both.

Dig deeper below to learn more.


Why This Matters Now

Federal cybersecurity requirements are converging but not standardizing.

    • CMMC is moving into contract enforcement under 48 CFR
    • GSA is increasing scrutiny on contractor cybersecurity posture
    • Contractors are being asked to demonstrate compliance across multiple frameworks

The reality:

    • You may need to meet both, depending on your contracts
    • One does not automatically satisfy the other, despite overlapping control foundations

What Is CMMC

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s enforcement mechanism for protecting CUI.

At Level 2, it requires:

    • Full implementation of 110 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 rev 2 controls
    • A third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) in most cases
    • Ongoing documentation including a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms)

Key point:

    • CMMC is pass or fail at the contract level
    • It directly determines eligibility

Contractors are already conducting gap assessments, refining scope, and preparing for formal assessments as enforcement approaches.

"Although GSA and DOW have chosen to require different revisions of NIST 800-171, both implement Executive Order 13566, which mandates a program for managing CUI across the entire executive branch," says Darryl Jones, IT Compliance Manager at ISI.

GSA Does Not Use CMMC

One of the most common misconceptions is that CMMC applies across all federal agencies.

It does not.

The General Services Administration (GSA) uses its own requirements for protecting Controlled Unclassified Information (CUI), formally titled:

IT Security Procedural Guide: Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process (CIO-IT Security 21-112, Rev. 1)

GSA’s new guide is:

    • Informed by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 3 guidance
    • Structurally similar to CMMC in some areas
    • Designed specifically for civilian agency risk environments

A Five-Phase Compliance Model

GSA’s approach is built around a defined five-phase process.

Contractors must work through each phase to demonstrate compliance:

    • Categorize the system and CUI
    • Select applicable security controls
    • Implement required controls
    • Assess control effectiveness
    • Authorize and continuously monitor the system

This lifecycle mirrors broader federal risk management practices, but it is enforced through GSA-specific policy.

Where They Overlap

There is shared DNA between the two frameworks, as both:

    • Use NIST standards as a foundation
    • Focus on protecting CUI
    • Require documented implementation, not just intent
    • Expect ongoing monitoring and updates

If you are building toward NIST SP 800-171 for CMMC, it’s important to know that you are not starting from zero with GSA.

Where Contractors Get It Wrong

The biggest mistake is assuming equivalence.

Common assumptions:

    • “We are CMMC ready, so we are covered for GSA”
    • “We passed a GSA review, so CMMC will be easy”

Both are flawed. The key differences are:

Assessment model

    • CMMC: Independent third-party certification through a C3PAO, benchmarked against NIST SP 800-171A Rev. 2
    • GSA: Procedural validation aligned to its internal framework, benchmarked against NIST SP 800-171A Rev. 3; a third-party assessment may be required depending on contract or authorization requirements

Enforcement

    • CMMC: Required to win and keep DoD contracts
    • GSA: Required to maintain schedule eligibility

Risk model

    • CMMC: National security driven
    • GSA: Civilian agency risk posture

What This Means Operationally

If you operate in both environments:

    • CMMC certification alone is not sufficient for GSA
    • You must map controls to GSA’s procedural guide and CMMC
    • You must follow GSA’s five-phase validation process

This introduces:

    • Additional documentation expectations
    • Different approval workflows
    • Separate oversight mechanisms

This is not just a technical exercise.

It requires coordination across compliance, IT, and leadership.

How to Approach It

Start with CMMC, then expand, not the other way around.

Here’s why:

  • Department of Defense (DoD) contracts require a Supplier Performance Risk System (SPRS) score based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2
  • Your eligibility is tied to those 110 controls
  • CMMC Level 2 assessments are aligned to that same baseline

If you start elsewhere, you risk misalignment with what actually determines contract eligibility.

Step 1: Anchor to CMMC and NIST SP 800-171 Rev. 2

Build your program around:

  • The 110 controls in NIST SP 800-171 Rev. 2
  • CMMC Level 2 assessment expectations
  • Accurate SPRS scoring and supporting documentation

This ensures:

  • Alignment with current DoD enforcement
  • Documentation that matches what assessors expect
  • A clear path to contract eligibility


Step 2: Map to GSA Requirements

Once your CMMC foundation is in place:

  • Map your controls to GSA’s IT Security Procedural Guide
  • Align documentation to its five-phase process
  • Identify any gaps in authorization, monitoring, or system categorization

Keep in mind:

  • GSA and DoD requirements can apply to the same contract environment
  • Meeting one does not satisfy the other


Step 3: Expand Toward Future-State Alignment

As NIST SP 800-171 evolves:

  • Use Rev. 2 as your baseline
  • Layer in additional controls and objectives over time
  • Avoid starting with newer revisions and working backward

This reduces the risk of gaps in current compliance requirements.

Focus Areas That Matter Most

Regardless of framework, execution is what determines success:

  • Evidence quality
  • SSP accuracy
  • Consistent implementation across environments

As seen with SPRS scoring, your documentation must reflect reality, not intent.

CMMC and GSA’s cybersecurity framework are related, but not interchangeable.

If you treat them the same:

    • You will miss requirements
    • You will create risk
    • You may lose opportunities

If you align them strategically:

    • You reduce duplication
    • You strengthen your security posture
    • You stay competitive across federal markets

FAQs

Do I need CMMC for GSA contracts?

No. CMMC applies to DoD contracts. GSA uses its own requirements but still requires strong cybersecurity controls aligned to NIST standards.

If I am CMMC certified, am I compliant with GSA?

No. You must still follow GSA’s IT Security Procedural Guide and complete its five-phase process, even if your controls overlap.

Which should I prioritize first?

Prioritize based on your contract exposure. DoD work requires CMMC. GSA work requires alignment to its procedural framework. Many contractors must prepare for both.
